This update to the Cloudsmith CLI introduces programmatic management for Policy Deny Rules, standardizes pagination parameters across the CLI, and upgrades core dependencies.

The CLI now supports full lifecycle management for Policy Deny Rules, enabling tighter integration with infrastructure-as-code workflows. Users can list, create, update, and delete deny policies directly via the command line.

cloudsmith policy deny create <org> POLICY_CONFIG_FILE

cloudsmith policy deny update <org> POLICY_CONFIG_FILE

 for contributing this feature. We welcome community pull requests and feedback to help drive the CLI forward.

To improve consistency, we have updated how pagination is handled across the CLI.

 is the new standard flag for listing all results, replacing 

 remains available as an alias, so existing scripts will not break. However, we recommend updating to 

 as values to instantly retrieve all results.

 Fixed the entitlement token list command to correctly support the new 

 Resolved a dependency conflict preventing installation on Python 3.9 environments.

For a full summary of changes, please visit the 

CLI v1.10.1: Policy deny rules and usability improvements

You can now download auto-generated Software Bills of Materials (SBOMs) for your Docker and OCI images directly from the Cloudsmith web app. This allows you to instantly export supply chain data for use in analysis tools or alongside release documentation.

Previously, SBOMs generated by Cloudsmith were only accessible via the 

. Instead of scripting an API call to retrieve the manifest for a specific image, you can now grab the 

 file with a single click, making SBOMs accessible to a broader range of users.

Click the Actions menu → "Download SBOM"

Downloads are provided in CycloneDX format.

This feature applies only to SBOMs automatically generated by Cloudsmith during the container image synchronization process.

Cloudsmith automatically generates SBOMs for Docker V2 and OCI V1 images.

​​This feature is live and available immediately for all Docker images. If you have any questions or feedback, please 

Download SBOMs directly from the web app

 to capture error events, giving platform engineering teams the critical information needed to troubleshoot build issues on behalf of their teams.

 only displayed successful activity, so it could be challenging to manually piece together context when errors occurred. With this update, Cloudsmith provides more comprehensive observability into your software supply chain. By surfacing requests that result in an error alongside successful ones, your team gains a centralized view of system health, making it easier to spot trends and resolve issues quickly.

: In addition to the status code, logs capture key request details including method, path, timestamp, user agent, IP address, and location.

This feature is available now in the Cloudsmith web app for customers using 

. Error logs will also soon be available in your Cloudsmith client log exports; please 

Troubleshoot failed download requests with client error logs

 command to the Cloudsmith CLI, enabling users to programmatically retrieve packages from repositories. This command provides advanced filtering, bulk operations, and pre-execution validation features.

This update resolves the prior friction created by the lack of a native download utility, eliminating the need for manual web UI downloads or complex 

 command is designed for flexible and automated artifact fetching:

 Automatically finds the latest version of a package by name across all repository versions.

 Supports filtering based on metadata such as 

 flag to download all associated package assets (e.g., sources, javadoc, SBOMs).

 Define a custom output directory for downloads using the 

 option, particularly useful for bulk operations.

 capability to see exactly which files would be downloaded without initiating the transfer.

Below are practical examples illustrating the command's flexibility:

 for Cloudsmith. This is NOT a package manager pull command. Unlike tools such as docker pull, npm install, or pip install, this command 

Install packages into your local environment

Manage dependencies or perform package resolution

Set up package registries or configure local tooling

Its function is to transfer the package files (binaries, archives, etc.) to your local filesystem for manual use, inspection, or further processing.

If you have feedback or questions about the Cloudsmith CLI, please 

Download command added to the Cloudsmith CLI

We've significantly enhanced the Cloudsmith Terraform Provider with new 

New data sources have been added to allow customers to retrieve information about their organization's configuration (like a 

 request), enabling the creation of more complex Terraform code based on specific outputs:

 resource now supports several new upstream formats:

For more information, including examples and documentation on all resources, please visit:

https://registry.terraform.io/providers/cloudsmith-io/cloudsmith/latest/docs

New data sources and expanded upstream support added to the Cloudsmith Terraform Provider

Cloudsmith now provides official upstream proxying and caching support for 

 in your npm repositories. This integration enables customers to use Cloudsmith as the primary, secure distribution platform for Chainguard’s malware-resistant, built-from-source JavaScript dependencies.

 Use Cloudsmith as the single source of truth for all npm dependencies, including Chainguard Libraries, ensuring reliability and high availability.

 Gain detailed information and consumption metrics on all package requests and versions in use (including from Chainguard Libraries) through Cloudsmith.

 Leverage Cloudsmith policies to govern what packages flow to users/pipelines, and utilize Cloudsmith’s built-in 

 Chainguard's dependencies are built using their hardened 

, providing verifiable software provenance.

The Chainguard Libraries for Javascript repository only includes libraries built by Chainguard from source. For full coverage, we recommend a dual-upstream configuration to allow for a fallback to the public registry.

Chainguard Libraries for Javascript Upstream (Priority 1)

 Add the Username and Password value from your Chainguard Libraries access settings.

Public npm Registry Upstream (Priority 2 - Fallback)

 for packages not available in Chainguard, ensuring the most secure and reliable consumption workflow possible.

Upstream Support for Chainguard Libraries for Javascript (npm)

 flag to the Cloudsmith CLI, which simplifies your automation scripts by eliminating the need for pagination logic. Previously, fetching large datasets required looping to iterate through 

. Now, the CLI automatically handles the underlying pagination, fetching every requested item and returning the full list instantly. This lets you simplify your scripts and maintain less code.

 flag to the following commands that support pagination:

Simplify your automations with the new show all flag

. This enables you to define policies that automatically quarantine new packages for a specific time period (e.g., two weeks) after release.

Implementing policies that delay package use is an effective safeguard to protect against zero-day attacks. Enforcing a time lag before consuming a new package or package version gives the community time to find and flag any problems and for intelligence feeds to get updated.

A policy that quarantined npm packages published in the past two weeks 

would have protected organizations during the September 8, 2025 npm attack

 which compromised widely used packages like 

Within two hours, the community had flagged the problem, but automated CI/CD pipelines had already downloaded the latest versions, the ones containing the malicious code.

When used alongside an EPM policy in Cloudsmith to block or quarantine all known malicious packages, you’ll have protection against zero-day attacks and known malicious packages, ensuring these packages never make it into your software supply chain. For more security rules, check out our 

The following Rego code defines a policy that matches and quarantines npm packages whose upstream publish date is within the last 

Upstream publish date is available for npm packages

, with additional formats coming soon. Learn more in the Enterprise Policy Manager 

Enforce vetting for npm packages with publish date policies

Cloudsmith’s Enterprise Policy Manager (EPM)

 data to enable powerful, component-level policies for Docker and OCI container images.

This upgrade extends EPM policy enforcement beyond basic package metadata to the internal components of an image, giving you more control over the composition of containers used within your organization.

With SBOM data, you can now apply EPM policies based on:

 Target specific components by name or other attributes.

 Enforce license compliance by applying rules based on the licenses of any component within the container.

Cloudsmith generates CycloneDX SBOMs for every Docker image or container image uploaded to Cloudsmith.

The SBOM data is made available within the EPM schema (input.v0.sbom field) in the native CycloneDX Bill of Materials JSON format.

You can use any of the available fields in the JSON file to create your own policies. In addition to exploring the schema, 

All standard EPM actions (including block, quarantine and tag) are available when creating policies based on SBOM data.

Here is a simple policy to enforce a strict set of allowed licenses:


This capability is in Early Access, available to Ultra and Enterprise customers via Enterprise Policy Manager. Learn more in the Enterprise Policy Manager 

Get more control over containers with SBOM-based policies in EPM

Monitoring the software licenses in use across your organization is critical. Stripping out dependencies that can't be incorporated into commercial software, or don't conform to your corporate licensing policies, is expensive and time consuming. Getting early visibility over software licenses in use by your teams is the goal.

Cloudsmith's web app now gives you a breakdown of your packages by license, and lists packages with no apparent software license. 

If you're a workspace Owner or Manager, you'll find software license information under Compliance at both a workspace and repository level. You'll see a breakdown of packages by license, with quick filters showing packages with 

. You can also edit and override  license information associated with a specific package if required.

Cloudsmith Changelog